turbot/alicloud

steampipe plugin install alicloud

Table: alicloud_ram_credential_report

Retrieves a credential report for the Alibaba Cloud account. For more information about the credential report, see Generate and download user credential reports in the RAM Guide.

Please note: This table requires a valid credential report to exist. To generate it, run the following Aliyun CLI command:

aliyun ims GenerateCredentialReport --endpoint ims.aliyuncs.com

Examples

List users that have logged into the console in the past 90 days

select
  user_name,
  user_last_logon
from
  alicloud_ram_credential_report
where
  password_exist
  and password_active
  and user_last_logon > (current_date - interval '90' day);

List users that have NOT logged into the console in the past 90 days

select
  user_name,
  user_last_logon,
  age(user_last_logon)
from
  alicloud_ram_credential_report
where
  password_exist
  and password_active
  and user_last_logon <= (current_date - interval '90' day)
order by
  user_last_logon;

List users with console access that have never logged in to the console

select
  user_name
from
  alicloud_ram_credential_report
where
  password_exist
  and user_last_logon is null;

Find access keys older than 90 days

select
  user_name,
  access_key_1_last_rotated,
  age(access_key_1_last_rotated) as access_key_1_age,
  access_key_2_last_rotated,
  age(access_key_2_last_rotated) as access_key_2_age
from
  alicloud_ram_credential_report
where
  access_key_1_last_rotated <= (current_date - interval '90' day)
  or access_key_2_last_rotated <= (current_date - interval '90' day)
order by
  user_name;
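
The query above checks only access_key_1 and access_key_2, while the report schema also has additional_access_key_1 through additional_access_key_3. The following is an added example, not part of the plugin's documentation: it unpivots all five key slots into one row per key and keeps only keys that exist, are active, and were last rotated more than 90 days ago. The aliases slot, key_age, not_used_90d and report_generated_time are names chosen here, and reading a null last_used as "never used" is an assumption.

```sql
-- Added example: audit every access key slot in the credential report.
-- Column names come from the table schema; the aliases are illustrative.
select
  r.user_name,
  k.slot,
  k.last_rotated,
  age(k.last_rotated) as key_age,
  k.last_used,
  -- Assumption: a null last_used means the key has never signed a request.
  (k.last_used is null
    or k.last_used <= (current_date - interval '90' day)) as not_used_90d,
  -- Results are only as fresh as the report they were read from.
  r.generated_time as report_generated_time
from
  alicloud_ram_credential_report as r
  -- One row per key slot instead of five column groups per user.
  cross join lateral (
    values
      ('access_key_1', r.access_key_1_exist, r.access_key_1_active,
        r.access_key_1_last_rotated, r.access_key_1_last_used),
      ('access_key_2', r.access_key_2_exist, r.access_key_2_active,
        r.access_key_2_last_rotated, r.access_key_2_last_used),
      ('additional_access_key_1', r.additional_access_key_1_exist,
        r.additional_access_key_1_active,
        r.additional_access_key_1_last_rotated,
        r.additional_access_key_1_last_used),
      ('additional_access_key_2', r.additional_access_key_2_exist,
        r.additional_access_key_2_active,
        r.additional_access_key_2_last_rotated,
        r.additional_access_key_2_last_used),
      ('additional_access_key_3', r.additional_access_key_3_exist,
        r.additional_access_key_3_active,
        r.additional_access_key_3_last_rotated,
        r.additional_access_key_3_last_used)
  ) as k (slot, key_exists, key_active, last_rotated, last_used)
where
  k.key_exists
  and k.key_active
  and k.last_rotated <= (current_date - interval '90' day)
order by
  k.last_rotated;
```

Rows with not_used_90d set to true are active keys that are both unrotated and idle, which makes them the first candidates for deactivation. If report_generated_time is old, regenerate the report with the GenerateCredentialReport command before acting on the results.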

Find users that have a console password but do not have MFA enabled

select
  user_name,
  mfa_active,
  password_exist,
  password_active
from
  alicloud_ram_credential_report
where
  password_exist
  and password_active
  and not mfa_active;

Check if root login has MFA enabled

select
  user_name,
  mfa_active
from
  alicloud_ram_credential_report
where
  user_name = '<root>';

.inspect alicloud_ram_credential_report

Alicloud RAM Credential Report

| Name | Type | Description |
| --- | --- | --- |
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. |
| access_key_1_active | boolean | Indicates whether the user access key is active or not. |
| access_key_1_exist | boolean | Indicates whether the user has an access key or not. |
| access_key_1_last_rotated | timestamp with time zone | Specifies the time when the access key was last rotated. |
| access_key_1_last_used | timestamp with time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
| access_key_2_active | boolean | Indicates whether the user access key is active or not. |
| access_key_2_exist | boolean | Indicates whether the user has an access key or not. |
| access_key_2_last_rotated | timestamp with time zone | Specifies the time when the access key was last rotated. |
| access_key_2_last_used | timestamp with time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
| account_id | text | The Alicloud Account ID in which the resource is located. |
| additional_access_key_1_active | boolean | Indicates whether the user access key is active or not. |
| additional_access_key_1_exist | boolean | Indicates whether the user has an access key or not. |
| additional_access_key_1_last_rotated | timestamp with time zone | Specifies the time when the access key was last rotated. |
| additional_access_key_1_last_used | timestamp with time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
| additional_access_key_2_active | boolean | Indicates whether the user access key is active or not. |
| additional_access_key_2_exist | boolean | Indicates whether the user has an access key or not. |
| additional_access_key_2_last_rotated | timestamp with time zone | Specifies the time when the access key was last rotated. |
| additional_access_key_2_last_used | timestamp with time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
| additional_access_key_3_active | boolean | Indicates whether the user access key is active or not. |
| additional_access_key_3_exist | boolean | Indicates whether the user has an access key or not. |
| additional_access_key_3_last_rotated | timestamp with time zone | Specifies the time when the access key was last rotated. |
| additional_access_key_3_last_used | timestamp with time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
| generated_time | timestamp with time zone | Specifies the time when the credential report was generated. |
| mfa_active | boolean | Indicates whether a multi-factor authentication (MFA) device has been enabled for the user. |
| password_active | boolean | Indicates whether the password is active or not. |
| password_exist | boolean | Indicates whether the user has any password for logging in or not. |
| password_last_changed | timestamp with time zone | Specifies the time when the password was updated. |
| password_next_rotation | timestamp with time zone | Specifies the time when the password will be rotated. |
| user_creation_time | timestamp with time zone | Specifies the time when the user was created. |
| user_last_logon | timestamp with time zone | Specifies the time when the user last logged in to the console. |
| user_name | text | The email of the RAM user. |